@ngocsangairvds/vsaf 3.0.2 → 3.0.3

package/.claude/skills/vsaf-build/SKILL.md

@@ -30,8 +30,8 @@ Với mỗi task trong spec:
 5. Chạy `/opsx:verify` để check task đúng spec
 6. Commit: `git commit -m "feat: <task description>"`
 
-### Bước 4 — ECC (tự động)
-- ECC hooks chạy tự động — không cần gọi thủ công
+### Bước 4 — Security (tự động)
+- Security hooks chạy tự động — không cần gọi thủ công
 - Nếu bị block: đọc message, không dùng `--no-verify` để bypass
 
 ### Bước 5 — Xử lý khi fail

package/.claude/skills/vsaf-ship/SKILL.md

@@ -24,8 +24,8 @@ description: Review 3 lớp, ship code, và ghi lại toàn bộ knowledge vào
 - Kiểm tra: code có implement đúng tất cả FRs/NFRs trong spec không
 - Nếu fail: quay lại `/vsaf-build` để fix
 
-### Bước 3 — Review Layer 3: Security (ECC)
-- Chạy `npx ecc-agentshield scan`
+### Bước 3 — Review Layer 3: Security (Security)
+- Chạy `vsaf verify`
 - Fix tất cả issues trước khi tiếp tục
 - Không skip warnings
 

package/README.md

@@ -14,9 +14,9 @@ tools, $20/month total.
 ├──────────────────────────────────────────────────────────────────────┤
 │  CODE INTEL        GitNexus (MCP backbone) + Graphify (multimodal)   │
 ├──────────────────────────────────────────────────────────────────────┤
-│  MEMORY            claude-mem (auto) + MemPalace (knowledge base)   │
+│  MEMORY            claude-mem (auto) + MemPalace (knowledge base)    │
 ├──────────────────────────────────────────────────────────────────────┤
-│  IMPLEMENTATION    Claude Code + Superpowers + ECC cherry-pick       │
+│  IMPLEMENTATION    Claude Code + Superpowers + security guardrails       │
 └──────────────────────────────────────────────────────────────────────┘
 ```
 
@@ -30,9 +30,9 @@ Requires **Node.js ≥ 18**, **Python ≥ 3.10**, **Git**, **jq**, and a
 
 ```bash
 git clone <this-repo> && cd vsaf
-make setup          # Install all 8 tools (idempotent — safe to re-run)
-make index          # Build knowledge graph
-make status         # Verify everything is working
+npx @ngocsangairvds/vsaf@latest init
+npx @ngocsangairvds/vsaf@latest index
+npx @ngocsangairvds/vsaf@latest status
 ```
 
 One manual post-setup step (requires an interactive Claude Code session):
@@ -64,31 +64,31 @@ first 30 days.
 ```
 .
 ├── .claude/
-│   ├── settings.json       # ECC hooks: block secrets, protect config files
+│   ├── settings.json       # Security hooks: block secrets, protect config files
 │   └── skills/              # Coding standards for Go, Rust, Python
 ├── docs/
 │   ├── architecture/        # Architecture documents (from BMAD Architect)
 │   └── onboarding/          # Developer onboarding (see table above)
 ├── githooks/                # Git hooks (pre-push runs verify + security scan)
-├── graphify-out/            # Graphify output (gitignored, regenerated by make index)
+├── graphify-out/            # Graphify output (gitignored, regenerated by `vsaf index`)
 ├── openspec/                # OpenSpec workspace (proposals, specs, designs, tasks)
 ├── scripts/
-│   └── setup-vsaf.sh       # Full setup automation (called by make setup)
+│   └── setup-vsaf.sh       # Full setup automation (used by `vsaf init`)
 ├── CLAUDE.md                # Claude Code system prompt — workflow rules
-└── Makefile                 # All day-to-day operations
+└── Makefile                 # Legacy wrapper (optional; use `vsaf` commands)
 ```
 
 ## Daily Operations
 
-Run `make help` for the full list. Highlights:
+Run `npx @ngocsangairvds/vsaf@latest --help` for the full list. Highlights:
 
 | Command | What It Does |
 |---|---|
-| `make setup` | Install or update all tools |
-| `make index` | Re-index codebase (GitNexus + Graphify) — run after every merge |
-| `make verify` | Check implementation against OpenSpec specs |
-| `make review` | Full 3-layer review coordinator |
-| `make status` | Show status of all installed tools |
+| `vsaf init` | Install or update all tools |
+| `vsaf index` | Re-index codebase (GitNexus + Graphify) — run after every merge |
+| `vsaf verify` | Check implementation against OpenSpec specs |
+| `vsaf review` | Full 3-layer review coordinator |
+| `vsaf status` | Show status of all installed tools |
 
 All commands — including BMAD agents, OpenSpec, Superpowers, and GitNexus — are
 listed in [3-cheatsheet.md](docs/onboarding/3-cheatsheet.md).
@@ -111,7 +111,7 @@ for a full command-by-command example.
 | **BMAD Method** | AI agents for planning: Analyst, PM, Architect, Product Owner | Free |
 | **OpenSpec** | Spec-driven development: proposals, specs, designs, task lists, verification | Free |
 | **Superpowers** | Methodology engine: brainstorm, plan, TDD execution, code review | Free |
-| **ECC (cherry-pick)** | Security scanner (AgentShield) + git hooks (block secrets) + coding standards | Free |
+| **Security guardrails** | Security scanner + git hooks (block secrets) + coding standards | Free |
 | **GitNexus** | Code knowledge graph via MCP — impact analysis, dependency queries | Free |
 | **Graphify** | Multimodal knowledge graph — visual dependency maps, path tracing | Free |
 | **claude-mem** | Auto-pilot memory — captures sessions, re-injects context next time | Free |

package/assets/templates/.claude/settings.json

@@ -26,7 +26,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "bash scripts/session-end-check.sh"
+            "command": "ISSUES=\"\"; SECRETS=$(git diff --cached --diff-filter=ACM --name-only 2>/dev/null | xargs grep -lE \"AKIA[0-9A-Z]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|xox[bpoas]-|BEGIN.*PRIVATE\" 2>/dev/null) || true; [ -n \"$SECRETS\" ] && ISSUES=\"${ISSUES}WARNING: Possible secrets staged: ${SECRETS} \"; LOGS=$(git diff --cached --name-only 2>/dev/null | xargs grep -lE \"console[.]log|debugger\" 2>/dev/null) || true; [ -n \"$LOGS\" ] && ISSUES=\"${ISSUES}WARNING: Debug artifacts in staged files: ${LOGS} \"; [ -n \"$ISSUES\" ] && echo \"$ISSUES\""
           }
         ]
       }
@@ -53,7 +53,6 @@
       "Bash(npm test:*)",
       "Bash(npm run:*)",
       "Bash(npx:*)",
-      "Bash(make:*)",
       "Bash(python:*)",
       "Bash(node:*)"
     ],

package/assets/templates/CLAUDE.md

@@ -23,7 +23,7 @@ VSAF is a meta-framework for AI-driven SDLC — not an application. It has no so
 | Memory | claude-mem, MemPalace | Session continuity (auto), architecture decisions (manual) |
 | Implementation | Superpowers, Claude Code | TDD execution, code review |
 
-Key directories: `.claude/` (settings + skills), `openspec/` (spec proposals), `scripts/` (helper scripts), `.gitnexus/` (knowledge graph index).
+Key directories: `.claude/` (settings + skills), `openspec/` (spec proposals), `.gitnexus/` (knowledge graph index).
 
 ---
 
@@ -31,13 +31,13 @@ Key directories: `.claude/` (settings + skills), `openspec/` (spec proposals), `
 
 ```bash
 npx vsaf init    # Install all tools (one-time, idempotent)
-make index       # Re-index: gitnexus analyze + graphify update
-make verify      # Check implementation against OpenSpec specs
-make review      # Full 3-layer review coordinator
-make archive     # Archive specs + re-index (post-merge)
-make mine        # Mine conversations into MemPalace
-make status      # Show status of all tools
-make clean       # Clean GitNexus index
+vsaf index       # Re-index: gitnexus analyze + graphify update
+vsaf verify      # Check implementation against OpenSpec specs
+vsaf review      # Full 3-layer review coordinator
+vsaf archive     # Archive specs + re-index (post-merge)
+vsaf mine        # Mine conversations into MemPalace
+vsaf status      # Show status of all tools
+vsaf clean       # Clean GitNexus index
 ```
 
 ---
@@ -95,7 +95,7 @@ After every merge or significant change:
 ```
 gitnexus analyze && /graphify . --update
 ```
-Or: `make index`
+Or: `vsaf index`
 
 ---
 
@@ -165,10 +165,10 @@ Do not approve until every task has a verification step.
 /superpowers:code-review
 
 # Layer 2: Spec compliance
-/opsx:verify               # or: make verify
+/opsx:verify               # or: vsaf verify
 
 # Layer 3: Knowledge graph sync
-make index                  # gitnexus analyze + graphify update
+vsaf index                  # gitnexus analyze + graphify update
 ```
 If Layer 2 fails --> return to Step 7.
 
@@ -180,7 +180,7 @@ PR description must include: OpenSpec proposal link, impact summary, test result
 
 ### Step 10: Archive + Ship
 ```bash
-make archive                # openspec archive + re-index
+vsaf archive                # openspec archive + re-index
 mempalace mine ~/chats/ --mode convos   # Mine decisions
 git tag v<version> && git push --tags
 ```
@@ -222,7 +222,7 @@ git tag v<version> && git push --tags
 | Write code before specs | Spec first, code second: `/opsx:propose` |
 | Skip brainstorm | `/superpowers:brainstorm` before planning |
 | Push without review | 3-layer: Superpowers + OpenSpec verify + re-index |
-| Forget to re-index | `make index` after every merge |
+| Forget to re-index | `vsaf index` after every merge |
 | Create PRs > 400 lines | Split into smaller PRs |
 | Trust AI output blindly | AI writes -> Superpowers reviews -> human approves |
 | Skip impact analysis | GitNexus + Graphify + MemPalace BEFORE coding |

package/assets/templates/Makefile

@@ -1,77 +1,29 @@
-# VSAF v3 — Agentic AI SDLC Framework
-# Day-to-day operations via Make targets.
-# Run `make help` for available commands.
+# Optional compatibility wrapper for teams that still type `make`.
+# Preferred usage: run `vsaf <command>` directly.
 
 .PHONY: help index verify review archive status mine clean
 
-SHELL := /bin/bash
-
-# ── Help ───────────────────────────────────────────────────────────────────────
-
 help: ## Show this help
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \
 		awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-14s\033[0m %s\n", $$1, $$2}'
 
-# ── Knowledge Graph ────────────────────────────────────────────────────────────
-
-index: ## Re-index codebase (GitNexus + Graphify)
-	@echo "==> Re-indexing codebase..."
-	gitnexus analyze
-	@if command -v graphify &>/dev/null; then \
-		graphify . --update 2>/dev/null || echo "[WARN] graphify update failed — run '/graphify . --update' in Claude Code"; \
-	fi
-	@echo "==> Index complete"
-
-# ── Review (3-layer) ──────────────────────────────────────────────────────────
-
-verify: ## Layer 2: Check implementation against OpenSpec specs
-	openspec validate --all
-
-review: ## Run 3-layer review (methodology + spec + re-index)
-	@echo "==> Layer 1: Methodology review"
-	@echo "    Run in Claude Code: /superpowers:code-review"
-	@echo ""
-	@echo "==> Layer 2: Spec compliance"
-	openspec validate --all
-	@echo ""
-	@echo "==> Layer 3: Re-index knowledge graph"
-	$(MAKE) index
-	@echo ""
-	@echo "==> 3-layer review complete"
-
-# ── Spec Lifecycle ─────────────────────────────────────────────────────────────
-
-archive: ## Archive specs + re-index (post-merge)
-	openspec archive
-	$(MAKE) index
-	@echo "==> Archived and re-indexed"
+index: ## Run `vsaf index`
+	@vsaf index
 
-# ── Memory ─────────────────────────────────────────────────────────────────────
+verify: ## Run `vsaf verify`
+	@vsaf verify
 
-mine: ## Mine conversations into MemPalace knowledge base
-	@export PATH="$$HOME/.local/bin:$$PATH"; mempalace mine ~/chats/ --mode convos --extract general
+review: ## Run `vsaf review`
+	@vsaf review
 
-# ── Status ─────────────────────────────────────────────────────────────────────
+archive: ## Run `vsaf archive`
+	@vsaf archive
 
-status: ## Show status of all tools
-	@export PATH="$$HOME/.local/bin:$$PATH"; \
-	echo "==> GitNexus"; \
-	gitnexus status 2>/dev/null || echo "    [not indexed]"; \
-	echo ""; \
-	echo "==> MemPalace"; \
-	mempalace status 2>/dev/null || echo "    [not initialized]"; \
-	echo ""; \
-	echo "==> OpenSpec"; \
-	openspec list 2>/dev/null || echo "    [no active changes]"; \
-	echo ""; \
-	echo "==> Graphify output"; \
-	ls graphify-out/ 2>/dev/null || echo "    [no output — run '/graphify .' in Claude Code]"; \
-	echo ""; \
-	echo "==> claude-mem"; \
-	curl -sf http://localhost:37777 >/dev/null 2>&1 && echo "    Web viewer: http://localhost:37777" || echo "    [web viewer not running]"
+mine: ## Run `vsaf mine`
+	@vsaf mine
 
-# ── Maintenance ────────────────────────────────────────────────────────────────
+status: ## Run `vsaf status`
+	@vsaf status
 
-clean: ## Clean GitNexus index (requires confirmation)
-	@read -p "This will remove the GitNexus index. Continue? [y/N] " confirm && \
-		[ "$$confirm" = "y" ] && gitnexus clean || echo "Aborted."
+clean: ## Run `vsaf clean`
+	@vsaf clean

package/bin/vsaf.js

@@ -11,6 +11,12 @@ USAGE
   vsaf global     Install global infra only  (skills, binaries)
   vsaf project    Scaffold project files only (assumes global done)
   vsaf status     Show installation status
+  vsaf index      Re-index codebase (GitNexus + Graphify)
+  vsaf verify     Check implementation against OpenSpec specs
+  vsaf review     Run 3-layer review flow
+  vsaf archive    Archive specs and re-index
+  vsaf mine       Mine conversations into MemPalace
+  vsaf clean      Clean GitNexus index
 
 GLOBAL  (once per machine → ~/.claude/)
   Skills  : bmad (41), openspec (4), vsaf (5), gitnexus (6)
@@ -21,13 +27,11 @@ PER PROJECT  (per repo, run inside the repo root)
   .claude/skills + .codex/skills  BMAD skills synced for local clients
   _bmad + _bmad-output    BMAD workspace + generated artifacts folders
   CLAUDE.md               10-step workflow rules
-  Makefile                index, verify, review, archive, mine, status
-  scripts/                Session-end check hook
 
 EXAMPLES
   npx vsaf init           # New machine + new project (recommended)
-  npx vsaf global         # Already have projects, new machine
-  npx vsaf project        # Global already done, add VSAF to existing repo
+  npx vsaf verify         # Validate current implementation
+  npx vsaf index          # Refresh code intelligence indexes
   npx vsaf status         # Check what is installed
 `;
 
@@ -55,6 +59,36 @@ async function main() {
       await showStatus();
       break;
     }
+    case 'index': {
+      const { runIndex } = require('../src/workflow');
+      runIndex();
+      break;
+    }
+    case 'verify': {
+      const { runVerify } = require('../src/workflow');
+      runVerify();
+      break;
+    }
+    case 'review': {
+      const { runReview } = require('../src/workflow');
+      runReview();
+      break;
+    }
+    case 'archive': {
+      const { runArchive } = require('../src/workflow');
+      runArchive();
+      break;
+    }
+    case 'mine': {
+      const { runMine } = require('../src/workflow');
+      runMine();
+      break;
+    }
+    case 'clean': {
+      const { runClean } = require('../src/workflow');
+      runClean();
+      break;
+    }
     default:
       console.log(HELP);
       if (cmd && cmd !== '--help' && cmd !== 'help') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ngocsangairvds/vsaf",
-  "version": "3.0.2",
+  "version": "3.0.3",
   "description": "VSAF — Agentic AI SDLC Framework. Spec-driven development, 3-layer review, 7 integrated tools.",
   "keywords": ["claude", "claude-code", "ai", "sdlc", "framework", "bmad", "openspec"],
   "bin": {

package/src/project.js

@@ -24,9 +24,9 @@ async function installProject() {
 
   console.log('\n\x1b[32m\x1b[1m✓ Project ready.\x1b[0m');
   console.log('\n  Next steps:');
-  console.log('    make status         check all tools');
-  console.log('    /graphify .         build knowledge graph (inside Claude Code)');
-  console.log('    /superpowers install install Superpowers plugin (inside Claude Code)\n');
+  console.log('    vsaf status         check all tools');
+  console.log('    vsaf index          build/update knowledge graph');
+  console.log('    /plugin install superpowers@claude-plugins-official\n');
 }
 
 // ── File scaffold ────────────────────────────────────────────────────────────
@@ -37,8 +37,6 @@ function scaffoldFiles() {
   const files = [
     { tpl: '.claude/settings.json', dst: '.claude/settings.json' },
     { tpl: 'CLAUDE.md',             dst: 'CLAUDE.md'             },
-    { tpl: 'Makefile',              dst: 'Makefile'               },
-    { tpl: 'scripts/session-end-check.sh', dst: 'scripts/session-end-check.sh', chmod: 0o755 },
   ];
 
   for (const { tpl, dst, chmod } of files) {

package/src/status.js

@@ -19,8 +19,6 @@ async function showStatus() {
   console.log('\n\x1b[1mProject  (current repo)\x1b[0m');
   checkPath('.claude/settings.json', 'Project settings');
   checkPath('CLAUDE.md',             'Workflow rules');
-  checkPath('Makefile',              'Makefile');
-  checkPath('scripts/session-end-check.sh', 'Session-end hook');
   checkPath('_bmad',                 'BMAD workspace');
   checkPath('_bmad-output',          'BMAD output folder');
   checkProjectSkillDir('.claude/skills', 'Project BMAD skills (.claude)');

package/src/utils.js

@@ -12,8 +12,12 @@ const warn = (msg) => console.log(`  \x1b[33m!\x1b[0m ${msg}`);
 const step = (msg) => console.log(`\n\x1b[1m${msg}\x1b[0m`);
 
 function hasCommand(cmd) {
-  const r = spawnSync(cmd, ['--version'], { stdio: 'ignore', shell: false });
-  return r.status === 0;
+  const versionCheck = spawnSync(cmd, ['--version'], { stdio: 'ignore', shell: false });
+  if (versionCheck.status === 0) return true;
+
+  // Some CLIs don't support --version but are still available on PATH.
+  const pathCheck = spawnSync('sh', ['-c', `command -v "${cmd}"`], { stdio: 'ignore', shell: false });
+  return pathCheck.status === 0;
 }
 
 function exec(cmd, opts = {}) {

package/src/workflow.js

@@ -0,0 +1,83 @@
+'use strict';
+
+const { ok, info, warn, step, hasCommand, exec } = require('./utils');
+
+function runIndex() {
+  step('Index');
+
+  if (!hasCommand('gitnexus')) {
+    warn('gitnexus not found — run: vsaf global');
+    return;
+  }
+
+  info('Running gitnexus analyze...');
+  exec('gitnexus analyze') ? ok('GitNexus index updated') : warn('gitnexus analyze failed — run manually');
+
+  if (!hasCommand('graphify')) {
+    warn('graphify not found — skipping graphify update');
+    return;
+  }
+
+  info('Running graphify update...');
+  exec('graphify . --update') ? ok('Graphify updated') : warn('graphify update failed — run manually');
+}
+
+function runVerify() {
+  step('Verify');
+  if (!hasCommand('openspec')) {
+    warn('openspec not found — run: vsaf global');
+    return;
+  }
+
+  info('Running openspec validate --all...');
+  exec('openspec validate --all') ? ok('OpenSpec verification passed') : warn('OpenSpec verification failed');
+}
+
+function runReview() {
+  step('Review (3-layer)');
+  info('Layer 1: Methodology review — run in Claude Code: /superpowers:code-review');
+  info('Layer 2: Spec compliance');
+  runVerify();
+  info('Layer 3: Knowledge graph sync');
+  runIndex();
+  ok('Review flow completed');
+}
+
+function runArchive() {
+  step('Archive');
+  if (!hasCommand('openspec')) {
+    warn('openspec not found — run: vsaf global');
+    return;
+  }
+
+  info('Running openspec archive...');
+  exec('openspec archive') ? ok('OpenSpec archived') : warn('openspec archive failed — run manually');
+  runIndex();
+}
+
+function runMine() {
+  step('Mine');
+  if (!hasCommand('mempalace')) {
+    warn('mempalace not found — run: vsaf global');
+    return;
+  }
+
+  info('Running mempalace mine ~/chats/ --mode convos --extract general...');
+  exec('mempalace mine ~/chats/ --mode convos --extract general')
+    ? ok('MemPalace mine completed')
+    : warn('mempalace mine failed — run manually');
+}
+
+function runClean() {
+  step('Clean');
+  if (!hasCommand('gitnexus')) {
+    warn('gitnexus not found — run: vsaf global');
+    return;
+  }
+
+  info('Running gitnexus clean...');
+  exec('gitnexus clean') ? ok('GitNexus index cleaned') : warn('gitnexus clean failed — run manually');
+}
+
+module.exports = { runIndex, runVerify, runReview, runArchive, runMine, runClean };
+